Providing authentication information, such as a password, on an input constrained device, such as a mobile telephone, is typically a tedious experience. A lack of a physical keyboard or the inclusion of a small keyboard generally means that users will be more prone to mistyping their entries than when providing the same information via a typical full-sized physical computer keyboard. Correctly typing an entry also typically takes significantly longer on an input constrained device than it does on a conventional physical computer keyboard.
Two ways that users attempt to compensate for the difficulties in providing authentication information are (1) the use of a password manager and (2) the use of a shorter, easier-to-enter credential. Unfortunately, both “solutions” can be less secure than requiring that the user enter a typical, secure credential. If the credential is sufficiently annoying to provide, the user may forgo use of the resource protected by the credential entirely.
Some input constrained devices attempt to compensate for the increased errors of users by making auto-completion or auto-correction suggestions. A strong password (e.g., including upper and lower case letters and at least one number) is often akin to a poorly spelled word, something an auto-correct feature would attempt to “correct.” Unfortunately, if a secure password is entered while auto-correction or auto-completion is active, initial password entry will be more difficult than where such schemes are not used, since most suggestions are likely to be incorrect and the user has to reject each of them. If the local dictionary of the auto-corrector learns the password (as it learns new words typed by users), security is degraded. For example, the password would be stored in plaintext in the local dictionary.